Data protection is becoming increasingly important across Member States, and recommendations issued by the European Data Protection Supervisor during the past year are changing the European scenario.
On 29 May, EDPS Peter Hustinx presented his Annual Report in Brussels and, according to the document, the number of complaints received decreased by 20% in 2012 in comparison with 2011. In total, the supervisor got 86 complaints, and 46 of them required in-depth inquiry (54% more than in 2011), something that shows the increase of complexity related to data protection issues.
The report explains that the majority of the complaints submitted were directed against the European Commission, OLAF, the European Parliament and EPSO. Complainants alleged excessive collection, disclosure and transfer of personal data, among other violations.
However, despite all these figures might indicate that industry and institutions are willing to be pro-active and cooperate in the protection of citizens' information, lobbying from organisations is augmenting and the EDPS expressed his concern about it.
“The benefits for industry should not – and do not need to – be at the expense of our fundamental rights to privacy and data protection,” he said. Besides, he added that this lobbying is in some cases “confusing”, because they think that if the Data Protection Regulation (DPR) is approved “they will have to review their business case, something that they should have done years ago.”
Giovanni Buttarelli, Assistant Supervisor of the EDPS, stated that "data protection is entirely compatible with innovation and should not simply be ignored to make way for short term gains.”
"The right to be forgotten” is one of the elements included in the DPR and one of the most worrying rules for US companies. If approved, firms will have to remove users' data when they require it, and this might directly harm their business model.
According to the EDPS, too much importance was given to this right and he defined it as an “overstatement”, since users' right to delete information “has always been there.” He considers that an individual's data should be kept by a company if “it's necessary and it gives reasons to do so.”
After the presentation of the report at the European Parliament, Hustinx warned the EU legislator to defend against pressure from industry and third countries to lower the level of currently data protection. He said that institutions should use this situation to ensure stronger and more effective protection to EU citizens.
Despite pressure from industry, the EDPS will continue to guide the European Commission, and in 2013, he will pay special attention to Data Protection Officers (DPOs) compliance with the regulation. Furthermore, his activities will go beyond security, freedom an justice, adding sectors like health, finances and internal market.
It is not yet clear when the Data Protection package will be approved by the European Parliament, but the EDPS aims to have a positive response before the end of the current mandate, otherwise “we will have to revise it again and we will lose time.”